Appendix D: Botnet Vendors - The advantage of honeypots

Anti-virus companies like Symantec are interested in obtaining information about Botnets, as they provide an excellent source of new kinds of malware. Once collected, these organizations publish information on Botnets; unfortunately, at times this information is not enough. We can leverage honeypots to collect the necessary information ourselves, as we demonstrate below. When it comes to publishing information on Botnets, organizations like Symantec take two common approaches.

If the binary of the bot is recognized, it is ignored, as it is already known and documented.

If the binary of the bot requires a new signature, they can publish data about the Botnet server.

We think that it is better to choose the second option. People who are using a virus scanner are not potential conscription victims, and nobody wants his Botnet getting published. But we show now that the information published by Symantec is not enough to actually track Botnets; it merely puts pressure on the operators. The following section is an irssi session connecting to and watching two Botnets. Commands and comments issued by us are formatted.

So we got the following information about this Botnet: it is a single-server network with about 10.000 clients on 26 channels. The server is listening on seven ports, but we lack any information about channel names or nickname structure. Thus we cannot track botnets as closely as we want to. The only possibility is to just add a randomly named client to that server. Maybe the operators of the botnet do not notice this strange client. And if we have a bit of luck, they send interesting information to all clients via WALLMSG, or the server gets linked somewhere.

This time we could collect even less information (though some of it was very interesting). Again, we cannot use the information to sneak a bot into the Botnet.

These three examples show that we cannot rely on 3rd party information about existing Botnets. We have to collect this information ourselves using our own Honeynets. Even though two of the three examples are unstripped and badly configured IRC daemons, we are not able to gain enough sensitive information. Incomplete information like Symantec offers just informs others that a Botnet exists; it does not let us collect any data about the Botnet usage or the botnetters themselves. We thus cannot learn more about the tactics and motives of the operators of the Botnets from information provided only by others. We have to track Botnets ourselves, and Honeypots are a perfect solution to help us in gathering the necessary information.